Dark Web Profile: Fox Kitten

Fox Kitten is an Iranian state-sponsored APT that combines intelligence collection for the IRGC with a profit-driven business selling access to ransomware affiliates. It has repeatedly exploited internet-facing VPN and firewall devices worldwide, using tools and custom malware such as HanifNet, HXLibrary, NeoExpressRAT, and Pay2Key to maintain access and support extortion operations. #FoxKitten #IRGC #HanifNet #HXLibrary #NeoExpressRAT #Pay2Key

Keypoints

  • Fox Kitten is a state-sponsored Iranian threat actor active since at least 2017 and tracked under aliases including Pioneer Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm.
  • The group operates in a dual role: espionage for Iranian state intelligence objectives and monetizing access by selling compromised networks to ransomware affiliates.
  • Its primary targets are exposed perimeter devices such as VPN concentrators, firewalls, and remote access gateways, rather than a single industry.
  • Fox Kitten has targeted organizations across the Middle East, North Africa, Europe, Australia, and North America, with documented victims in the United States.
  • The group rapidly weaponizes newly disclosed vulnerabilities in products from Pulse Secure, Citrix, F5, Palo Alto, and Check Point for initial access.
  • Post-compromise activity includes credential theft, tunneling-based persistence, lateral movement, cloud and messaging collection, and defense evasion through masquerading and timestomping.
  • Campaigns linked to the group include the Pay2Key operation against Israeli organizations and a 2024 ransomware facilitation campaign involving NoEscape, Ransomhouse, and ALPHV (BlackCat).

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting internet-facing VPN and firewall appliances, including newly disclosed CVEs (‘the group has demonstrated a pattern of rapidly weaponizing newly disclosed CVEs in widely deployed VPN and firewall products’).
  • [T1133] External Remote Services – Used against exposed VPNs and remote access gateways to enter victim environments (‘targeting… VPN concentrators, firewalls, and remote access gateways’).
  • [T1110] Brute Force – Used as a secondary access path against RDP credentials (‘uses brute force against RDP credentials as a secondary access path’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used extensively for credential access and payload staging (‘PowerShell is used extensively for credential access and payload staging’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used for account manipulation tasks (‘Windows Command Shell (cmd.exe) has been observed for account manipulation tasks’).
  • [T1059] Command and Scripting Interpreter – Used a Perl reverse shell for C2 communication in some intrusions (‘the group also deploys a Perl reverse shell for C2 communication’).
  • [T1569.002] System Services: Service Execution – Used PsExec for remote command execution across the network (‘uses PsExec for remote command execution across the network’).
  • [T1505.003] Server Software Component: Web Shell – Deployed web shells on compromised servers for persistence (‘Web shells … deployed on compromised servers’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Created scheduled tasks to preserve access (‘Scheduled Tasks named to masquerade as legitimate system tasks’).
  • [T1136.001] Create Account: Local Account – Created local administrator accounts for long-term access (‘Local administrator accounts created with elevated privileges’).
  • [T1546.008] Event Triggered Execution: Accessibility Features – Abused Sticky Keys to launch a command prompt at login (‘Sticky Keys abuse … replacing accessibility executables’).
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – Used Base64 encoding to obscure scripts and payloads (‘Base64 encoding of scripts and payloads’).
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Used encoded payloads to hinder analysis (‘Base64 encoding of scripts and payloads’).
  • [T1036.004] Masquerading: Masquerade Task or Service – Named tasks to look legitimate (‘Scheduled Tasks named to masquerade as legitimate system tasks’).
  • [T1036.005] Masquerading: Match Legitimate Resource Name or Location – Renamed binaries and config files to blend in (‘naming binaries svhost and config files dllhost’).
  • [T1070.006] Indicator Removal: Timestomp – Altered file timestamps to hide artifacts (‘performs timestomping via China Chopper’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – Used ProcDump to dump credentials from LSASS (‘uses ProcDump … to dump credentials from LSASS memory’).
  • [T1003.003] OS Credential Dumping: NTDS – Used Volume Shadow Copy to extract NTDS.dit for offline AD credential harvesting (‘leverages Volume Shadow Copy to extract NTDS.dit’).
  • [T1555.005] Credentials from Password Stores: Password Managers – Read KeePass databases to steal stored secrets (‘reading KeePass databases using targeted scripts’).
  • [T1552.001] Unsecured Credentials: Credentials In Files – Accessed registry hives and other files for stored credentials (‘accessing ntuser.dat and UserClass.dat registry hives’).
  • [T1078] Valid Accounts – Leveraged stolen credentials for RDP, SMB, SSH, and VNC lateral movement (‘with valid stolen credentials’).
  • [T1087.001] Account Discovery: Local Account – Enumerated local accounts during reconnaissance (‘enumerate Active Directory service accounts’).
  • [T1087.002] Account Discovery: Domain Account – Enumerated domain accounts and AD service accounts (‘enumerate Active Directory service accounts’).
  • [T1046] Network Service Discovery – Used Nmap and Angry IP Scanner for network discovery (‘Nmap and Angry IP Scanner for network discovery’).
  • [T1018] Remote System Discovery – Identified internal systems and assets (‘read Chrome browser bookmarks to identify internal resources and assets’).
  • [T1083] File and Directory Discovery – Used WizTree for file and directory enumeration (‘WizTree for file and directory enumeration’).
  • [T1012] Query Registry – Accessed registry hives to recover credentials (‘accessing ntuser.dat and UserClass.dat registry hives’).
  • [T1217] Browser Information Discovery – Read Chrome bookmarks to find internal resources (‘reads Chrome browser bookmarks’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Used RDP for lateral movement (‘Lateral movement relies heavily on RDP’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Used SMB/admin shares to move laterally (‘SMB/Windows Admin Shares’).
  • [T1021.004] Remote Services: SSH – Used PuTTY and Plink for SSH-based movement (‘SSH (via PuTTY and Plink)’).
  • [T1021.005] Remote Services: VNC – Deployed TightVNC for remote access (‘VNC (TightVNC server and client deployed on endpoints)’).
  • [T1210] Exploitation of Remote Services – Used compromised remote access paths, including brute-forced RDP, to expand control inside the network (‘uses brute force against RDP credentials’).
  • [T1570] Lateral Tool Transfer – Moved PsExec and other tools between hosts (‘PsExec is used for remote service execution across compromised hosts’).
  • [T1005] Data from Local System – Collected internal documents, email archives, and local files (‘targets credentials, internal documents, email archives’).
  • [T1039] Data from Network Shared Drive – Gathered data from network shares (‘Data from network shares’).
  • [T1530] Data from Cloud Storage – Collected contents from cloud storage instances (‘cloud storage contents’).
  • [T1213.005] Data from Information Repositories: Messaging Applications – Accessed Microsoft Teams messages for intelligence (‘accesses Microsoft Teams to mine communications’).
  • [T1560.001] Archive Collected Data: Archive via Utility – Used 7-Zip to compress staged data before exfiltration (‘staged using 7-Zip for compression’).
  • [T1572] Protocol Tunneling – Used reverse proxies and tunneling tools to create outbound tunnels (‘establish outbound tunnels from victim environments’).
  • [T1090] Proxy – Used FRPC, ngrok, Glider Proxy, ReverseSocks5, Chisel, and MeshCentral as proxying tools (‘reverse proxy tools’).
  • [T1102] Web Service – Used AWS-hosted infrastructure and social platforms for communication (‘Amazon Web Services has been observed as C2 hosting infrastructure’; ‘KeyBase and Twitter accounts’).
  • [T1585] Establish Accounts – Used online accounts as part of operations (‘KeyBase and Twitter accounts have also been used’).
  • [T1585.001] Social Media Accounts – Used Twitter accounts for victim communication (‘Twitter accounts have also been used’).
  • [T1041] Exfiltration Over C2 Channel – Exfiltrated data through the same C2/tunneled infrastructure (‘prior to exfiltration’).
  • [T1486] Data Encrypted for Impact – Deployed Pay2Key ransomware against Israeli organizations (‘deployed the custom Pay2Key ransomware’).
  • [T1489] Service Stop – Included service disruption as part of impact (‘Service Stop’).
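Three of the host-side techniques above (the Sticky Keys replacement in T1546.008, the ‘svhost’ lookalike naming in T1036.005, and the Base64-encoded PowerShell in T1027.010) can be checked from ordinary process-creation telemetry. The following Python is an added example written for this profile, not code from the original page, from SOCRadar, or from the actor; the event fields mirror Sysmon Event ID 1 (ParentImage, Image, OriginalFileName, CommandLine) and every record is constructed for illustration.

```python
"""Triage of constructed process-creation events for three Fox Kitten TTPs.

Added example for this profile (not SOCRadar's or the actor's code). Records
are shaped like Sysmon Event ID 1 fields; all sample values are constructed.
"""
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    original_file_name: str   # PE version-info OriginalFileName, as Sysmon logs it
    command_line: str


# Accessibility binaries winlogon.exe launches at the logon screen; a copy of
# cmd.exe dropped under one of these names is the Sticky Keys trick (T1546.008).
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                 "magnify.exe", "displayswitch.exe"}

# Names that lookalike binaries imitate (T1036.005: 'svhost' vs svchost).
SYSTEM_NAMES = {"svchost.exe", "dllhost.exe", "lsass.exe", "csrss.exe",
                "services.exe", "winlogon.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_encoded_powershell(command_line: str) -> Optional[str]:
    """Return the decoded script when the command line carries -EncodedCommand.

    PowerShell accepts any unambiguous prefix of the switch (-e, -en, -enc, ...)
    plus the alias -ec; the payload is Base64 of UTF-16LE text.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if flag.startswith("-") and len(flag) > 1 and (
                "encodedcommand".startswith(flag[1:]) or flag == "-ec"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
                return None
    return None


def triage(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Apply the three rules and return (host, rule, detail) findings in event order."""
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        img = basename(ev.image)
        # Rule 1: an accessibility binary whose PE original name is something
        # else (e.g. cmd.exe copied over sethc.exe).
        if img in ACCESSIBILITY and ev.original_file_name.lower() != img:
            findings.append((ev.host, "T1546.008 accessibility hijack",
                             f"{img} has OriginalFileName {ev.original_file_name}"))
        # Rule 2: a file name one edit away from a real system binary name.
        for real in sorted(SYSTEM_NAMES):
            if img != real and edit_distance(img, real) == 1:
                findings.append((ev.host, "T1036.005 lookalike name",
                                 f"{img} imitates {real}"))
        # Rule 3: Base64-encoded PowerShell, decoded so the analyst can read it.
        if img in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_powershell(ev.command_line)
            if decoded is not None:
                findings.append((ev.host, "T1027.010 encoded PowerShell", decoded))
    return findings


# Constructed sample telemetry (not real captures). Two records are benign
# controls: a genuine utilman.exe launch and a genuine svchost.exe.
_ENC = base64.b64encode("Get-Process lsass".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\winlogon.exe",
              r"C:\Windows\System32\sethc.exe", "Cmd.Exe", "sethc.exe 211"),
    ProcEvent("ws01", r"C:\Windows\System32\winlogon.exe",
              r"C:\Windows\System32\utilman.exe", "utilman.exe", "utilman.exe /debug"),
    ProcEvent("srv02", r"C:\Windows\System32\services.exe",
              r"C:\ProgramData\svhost.exe", "svhost.exe", "svhost.exe -c dllhost.ini"),
    ProcEvent("srv02", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("srv02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowerShell.EXE", "powershell.exe -nop -w hidden -enc " + _ENC),
]

if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host:6} {rule:32} {detail}")
```

On the sample set the two benign controls stay silent and three findings come back, one per rule. Rule 1 relies on OriginalFileName rather than a hash so it keeps working across Windows builds; rule 2 is deliberately narrow (edit distance exactly 1) to avoid noise from unrelated names, and a production version would also flag a true system name running outside System32.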

Indicators of Compromise

  • [CVE] Exploited vulnerabilities in perimeter devices – CVE-2019-11510, CVE-2024-24919, and 5 other CVEs
  • [Malware/Tool Names] Custom malware and tooling used by Fox Kitten – HanifNet, HXLibrary, and 6 other items
  • [File Names] Persistence and credential theft artifacts – sethc.exe, utilman.exe, and 2 other items
  • [Domain/Service Names] Tunneling, C2, and communication services – ngrok, Amazon Web Services, and 5 other items
  • [Account Handles] Underground and communication identifiers – Br0k3r, xplfinder, and 2 other aliases
  • [Threat Actors / Affiliates] Ransomware partners and related groups – NoEscape, ALPHV (BlackCat), and 1 other item
  • [Tools] Reconnaissance, lateral movement, and proxy tools – Nmap, PsExec, and 10 other items
  • [Web Shell Names] Persistence web shell variants – China Chopper, ChunkyTuna, and 1 other item

Read more: https://socradar.io/blog/dark-web-profile-fox-kitten/